SubSeven is a backdoor program (like NetBus, Back Orifice etc.) which gives a hacker access to a system. The program consists of a Server and a Client that are used remotely over computer networks. Using the Client, the hacker can take over a system infected with the Server (the Server is the actual Trojan). Newer versions of SubSeven also come with an Editserver, which helps in building differently configured Servers.

So, an infected system can be totally controlled using the Client. Until now, the following versions are known:
1. SubSeven Version 1.0 - 1.4
2. SubSeven Version 1.5
3. SubSeven Version 1.6
4. SubSeven Version 1.7
5. SubSeven Version 1.8
6. SubSeven Version 1.9 and SubSeven Apocalypse
7. SubSeven Version 2.0 - 2.2

1. SubSeven Version 1.0 - 1.4

When activated, the Server copies the virus into the Windows folder. To ensure that the virus is activated at every system start, it also creates the following registry entry (and an entry in WIN.INI, see below):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

In WIN.INI the entry can be found under "load=" or "run=". Unfortunately, the name of the copy is not standard, but in version 1.0-1.4 it is usually named "Systrayicon.exe", "window.exe" or "nodll.exe".

Removing:

First delete the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

and if possible the win.ini entry under "load=" or "run=". Then restart Windows and delete the file "Systrayicon.exe", "window.exe" or "nodll.exe" from the Windows folder.

2. SubSeven Version 1.5

For the autostart function, it only needs the Win.ini file. The entry is under "run=".

Removing:

First delete the entry "run=kerne132.dl nodll" from Win.ini and then restart Windows. Then delete the Trojan files "window.exe", "nodll.exe" and "winduh.dat" from the Windows folder.

3. SubSeven Version 1.6

SubSeven version 1.6 uses only the registry for the autostart function. The entry is

Removing:

First delete the above mentioned registry entry and restart Windows. Then delete the files "SysTray.exe", "imdrki_33.dll", "pddt.dat" and "rundll16.com" from Windows System (usually c:\windows\system).

4. SubSeven Version 1.7

This is the first version provided with "Editserver", which makes removal more difficult, because the hacker can easily alter the Server.

and restart Windows. Then delete the files "kernel16.dl" in Windows and "watching.dll" in Windows System (usually c:\windows\system).

5. SubSeven Version 1.8

This version has a more developed "Editserver", which gives the hacker more possibilities: both the file name and the way the infection is installed can be chosen. The infection can be done in one of 4 ways:
a. System.ini
b. Win.ini
c. Registry-Run
d. Registry-RunServices

Removing:

Since the infection is done in only one of the four ways, you must first find out which entry the virus uses. Depending on that, you must either:

a. modify the entry "shell=Explorer.exe kerne132.dl" in System.ini into "shell=Explorer.exe",
b. delete the entry "run=kerne132.dl" from Win.ini,
c. remove the Registry-Key "Kernel32" (possibly under another name, which you should note) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, or
d. remove the Registry-Key "Kernel32" (possibly under another name) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.

Then restart the computer and delete the files "kerne132.dl" in Windows and "MVOKH_32.dll" in Windows System. If according to c) or d) you found another name used for "kernel32.dll", delete the respective file.

6. SubSeven Version 1.9 and SubSeven Apocalypse

These versions are similar to version 1.8, except for the name of the file originally copied by the Server. There are also 4 ways of infection:
a. System.ini
b. Win.ini
c. Registry-Run
d. Registry-RunServices

Removing:

Since the infection is done in only one of the four ways, you must first find out which entry the virus uses. Depending on that, you must either:

a. modify the entry "shell=Explorer.exe mtmtask.dl" in System.ini into "shell=Explorer.exe",
b. delete the entry "run= mtmtask.dl" from Win.ini,
c. remove the Registry-Key "Kernel32" (possibly under another name, which you should note) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, or
d. remove the Registry-Key "Kernel32" (possibly under another name) under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.

Then restart the computer and delete the file "mtmtask.dl" in Windows. If according to c) or d) you found another name used for "mtmtask.dl", delete the respective file.

7. SubSeven Version 2.0 - 2.2

Usually this version creates a file named MSREXE.exe in Windows; the Server hides its virus under this name, although any name could be used. New in version 2.0 is that the Server protects itself against deletion: if it is deleted, no application (*.exe) can be opened any more and Windows itself can no longer be started. This makes the removal of SubSeven more difficult.